1. Start the devices
2. Configure IP addresses
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 100.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 192.168.2.254 24
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 200.1.1.2 24
[FW2-GigabitEthernet1/0/1]service-manage ping permit
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 100.1.1.2 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 200.1.1.1 24
3. Configure the Tunnel interfaces
[FW1]int Tunnel 0
[FW1-Tunnel0]ip add 172.16.1.1 24
[FW1-Tunnel0]tunnel-protocol gre
[FW1-Tunnel0]source 100.1.1.1
[FW1-Tunnel0]destination 200.1.1.2
[FW2]int Tunnel 0
[FW2-Tunnel0]ip add 172.16.1.2 24
[FW2-Tunnel0]tunnel-protocol gre
[FW2-Tunnel0]source 200.1.1.2
[FW2-Tunnel0]destination 100.1.1.1
4. Add the firewall interfaces to their security zones
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1-zone-untrust]add int Tunnel 0
[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/0
[FW2-zone-trust]q
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g1/0/1
[FW2-zone-untrust]add int Tunnel 0
5. Configure OSPF
[FW1]ospf 1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255
[FW2]ospf 1
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255
6. Configure static routes (LAN-to-LAN traffic goes through the tunnel)
[FW1]ip route-static 192.168.2.0 24 Tunnel 0
[FW2]ip route-static 192.168.1.0 24 Tunnel 0
7. Configure security policies
[FW1]security-policy
[FW1-policy-security]rule name local-untrust
[FW1-policy-security-rule-local-untrust]source-zone local
[FW1-policy-security-rule-local-untrust]destination-zone untrust
[FW1-policy-security-rule-local-untrust]source-address 100.1.1.0 0.0.0.255
[FW1-policy-security-rule-local-untrust]destination-address 200.1.1.0 0.0.0.255
[FW1-policy-security-rule-local-untrust]action permit
[FW1-policy-security-rule-local-untrust]q
[FW1-policy-security]rule name untrust-local
[FW1-policy-security-rule-untrust-local]source-zone untrust
[FW1-policy-security-rule-untrust-local]destination-zone local
[FW1-policy-security-rule-untrust-local]source-address 200.1.1.0 0.0.0.255
[FW1-policy-security-rule-untrust-local]destination-address 100.1.1.0 0.0.0.255
[FW1-policy-security-rule-untrust-local]action permit
[FW1-policy-security-rule-untrust-local]q
[FW1-policy-security]rule name trust-untrust
[FW1-policy-security-rule-trust-untrust]source-zone trust
[FW1-policy-security-rule-trust-untrust]destination-zone untrust
[FW1-policy-security-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255
[FW1-policy-security-rule-trust-untrust]action permit
[FW1-policy-security-rule-trust-untrust]q
[FW1-policy-security]rule name untrust-trust
[FW1-policy-security-rule-untrust-trust]source-zone untrust
[FW1-policy-security-rule-untrust-trust]destination-zone trust
[FW1-policy-security-rule-untrust-trust]action permit
[FW2]security-policy
[FW2-policy-security]rule name untrust-local
[FW2-policy-security-rule-untrust-local]source-zone untrust
[FW2-policy-security-rule-untrust-local]destination-zone local
[FW2-policy-security-rule-untrust-local]action permit
[FW2-policy-security-rule-untrust-local]q
[FW2-policy-security]rule name local-untrust
[FW2-policy-security-rule-local-untrust]source-zone local
[FW2-policy-security-rule-local-untrust]destination-zone untrust
[FW2-policy-security-rule-local-untrust]action permit
[FW2-policy-security-rule-local-untrust]q
[FW2-policy-security]rule name trust-untrust
[FW2-policy-security-rule-trust-untrust]source-zone trust
[FW2-policy-security-rule-trust-untrust]destination-zone untrust
[FW2-policy-security-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255
[FW2-policy-security-rule-trust-untrust]action permit
[FW2-policy-security-rule-trust-untrust]q
[FW2-policy-security]rule name untrust-trust
[FW2-policy-security-rule-untrust-trust]source-zone untrust
[FW2-policy-security-rule-untrust-trust]destination-zone trust
[FW2-policy-security-rule-untrust-trust]source-address 192.168.1.0 0.0.0.255
[FW2-policy-security-rule-untrust-trust]action permit
8. Configure NAT policies
[FW1]nat-policy
[FW1-policy-nat]rule name trust-untrust
[FW1-policy-nat-rule-trust-untrust]source-zone trust
[FW1-policy-nat-rule-trust-untrust]destination-zone untrust
[FW1-policy-nat-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255
[FW1-policy-nat-rule-trust-untrust]action source-nat easy-ip
[FW2]nat-policy
[FW2-policy-nat]rule name trust-untrust
[FW2-policy-nat-rule-trust-untrust]source-zone trust
[FW2-policy-nat-rule-trust-untrust]destination-zone untrust
[FW2-policy-nat-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255
[FW2-policy-nat-rule-trust-untrust]action source-nat easy-ip
Verification:
1. PC2 can ping PC1.
2. Check the FW2 session table (observe the direction of the GRE packets).
3. Check the NAT translation: when PC2 pings 100.1.1.1, the firewall session table shows the private address translated to 200.1.1.2 before the packet reaches 100.1.1.1.
4. Capture packets on FW2's G1/0/1 interface (GRE uses IP protocol number 47).
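The capture in verification step 4 shows the packet structure this lab builds: an outer IPv4 header from 200.1.1.2 to 100.1.1.1 whose protocol field is 47, a 4-byte GRE header, and the original LAN-to-LAN packet carried in cleartext. The script below is an added example (not part of the original lab notes and not Huawei code): it encapsulates a constructed ICMP echo from an assumed PC2 (192.168.2.1) to an assumed PC1 (192.168.1.1) the way a GRE tunnel endpoint does, then decodes it back, which is the same parsing a capture tool performs. The tunnel endpoint addresses are taken from the configuration above; the PC addresses and the ICMP payload are constructed.

```python
import struct
import ipaddress

GRE_PROTOCOL_NUMBER = 47     # IP protocol number of GRE (outer IPv4 "protocol" field); GRE has no port
ETHERTYPE_IPV4 = 0x0800      # GRE protocol type for an encapsulated IPv4 packet
ICMP_PROTOCOL_NUMBER = 1

# Tunnel endpoints from the lab configuration; PC addresses are assumed hosts in the two trust LANs.
FW2_PUBLIC = "200.1.1.2"     # FW2 Tunnel0 source
FW1_PUBLIC = "100.1.1.1"     # FW2 Tunnel0 destination
PC2 = "192.168.2.1"          # assumed host behind FW2
PC1 = "192.168.1.1"          # assumed host behind FW1


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """What a tunnel endpoint does: prepend a 4-byte GRE header (no C/K/S flags) and an outer
    IPv4 header whose protocol field is 47. The inner packet is not encrypted."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return build_ipv4(outer_src, outer_dst, GRE_PROTOCOL_NUMBER, gre_hdr + inner_packet)


def parse_ipv4(packet: bytes) -> dict:
    """Validate version, lengths and checksum, then return addresses, protocol and payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("truncated or malformed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9],
        "payload": packet[ihl:total_len],
    }


def decode_gre(packet: bytes) -> dict:
    """Decode outer IPv4 + GRE + inner IPv4, honouring the optional checksum/key/sequence fields
    (RFC 2784 / RFC 2890) so the inner header is located at the right offset."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTOCOL_NUMBER:
        raise ValueError("outer protocol is %d, not GRE (47)" % outer["proto"])
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, ptype = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:                # version bits must be 0 for plain GRE
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags_ver & 0x8000:                # C bit: 16-bit checksum + 16-bit reserved1
        offset += 4
    if flags_ver & 0x2000:                # K bit: 32-bit key
        offset += 4
    if flags_ver & 0x1000:                # S bit: 32-bit sequence number
        offset += 4
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE protocol type 0x%04x is not IPv4" % ptype)
    inner = parse_ipv4(gre[offset:])
    return {
        "outer_src": outer["src"], "outer_dst": outer["dst"],
        "inner_src": inner["src"], "inner_dst": inner["dst"],
        "inner_proto": inner["proto"], "gre_key_present": bool(flags_ver & 0x2000),
    }


def sample_pc2_ping_pc1() -> bytes:
    """Constructed capture frame: PC2's ICMP echo request to PC1 as FW2 sends it out G1/0/1."""
    icmp_echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"lab-ping"   # type 8, code 0, id, seq
    inner = build_ipv4(PC2, PC1, ICMP_PROTOCOL_NUMBER, icmp_echo)
    return gre_encapsulate(FW2_PUBLIC, FW1_PUBLIC, inner)


if __name__ == "__main__":
    print(decode_gre(sample_pc2_ping_pc1()))
```

Two points the decoder makes concrete for the verification steps: GRE has no ports, so a capture filter must match on the IP protocol field (47) rather than on a TCP or UDP port; and the inner packet sits in cleartext after the 4-byte header, so anything captured on the link between the two firewalls exposes the LAN traffic, which is why GRE is normally combined with IPsec when confidentiality is required. A tunnel configured without a key or checksum, as in this lab, produces the plain 4-byte GRE header the sample builds.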